From 3ba05bcb05f042a7c8f8ede8e02ac5c3f21969c8 Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Thu, 7 May 2026 08:41:16 +0300
Subject: [PATCH] chore: setup hosting environment
---
 asset/nginx/blekin.kosherinata.internal.conf | 8 +-
 asset/systemd/step-kosherinata@.service | 15 ++++
 script/setup.sh | 92 ++++++++++++++++++++
 3 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 asset/systemd/step-kosherinata@.service
 create mode 100755 script/setup.sh
diff --git a/asset/nginx/blekin.kosherinata.internal.conf b/asset/nginx/blekin.kosherinata.internal.conf
index f42ac5d..ff656b7 100644
--- a/asset/nginx/blekin.kosherinata.internal.conf
+++ b/asset/nginx/blekin.kosherinata.internal.conf
@@ -1,6 +1,12 @@
 server {
- listen 80;
 server_name blekin.kosherinata.internal;
+ listen 443 ssl;
+ http2 on;
+
+ ssl_certificate /etc/nginx/tls/cert/blekin.kosherinata.internal.pem;
+ ssl_certificate_key /etc/nginx/tls/key/blekin.kosherinata.internal.pem;
+ #ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/root-internal.pem;
+ ssl_protocols TLSv1.3;
 root /var/www/blekin.kosherinata.internal;
 index index.html;
diff --git a/asset/systemd/step-kosherinata@.service b/asset/systemd/step-kosherinata@.service
new file mode 100644
index 0000000..95e4ecc
--- /dev/null
+++ b/asset/systemd/step-kosherinata@.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=step cert renew for %i.kosherinata.internal
+Documentation=https://smallstep.com/docs/step-ca/renewal
+
+[Service]
+Type=oneshot
+ExecCondition=/usr/bin/step certificate needs-renewal \
+ /etc/nginx/tls/cert/%i.kosherinata.internal.pem
+ExecStart=/usr/bin/step ca renew \
+ --force \
+ --ca-url https://ca.internal \
+ --root /etc/pki/ca-trust/source/anchors/root-internal.pem \
+ /etc/nginx/tls/cert/%i.kosherinata.internal.pem \
+ /etc/nginx/tls/key/%i.kosherinata.internal.pem
+ExecStartPost=/usr/bin/systemctl reload nginx.service
diff --git a/script/setup.sh b/script/setup.sh
new file mode 100755
index 0000000..84d2cb1
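Review bot: The new TLS block sets no HSTS header, and the `#ssl_trusted_certificate` line is dead configuration that a reader may take for an active setting; either enable it together with `ssl_stapling` if the internal CA serves OCSP, or drop it. Add `add_header Strict-Transport-Security "max-age=63072000" always;` beside `ssl_protocols TLSv1.3;` so clients that have reached the host over HTTPS once stop trying port 80, which this change no longer listens on. `http2 on;` as a standalone directive needs a recent nginx (older releases only accept `http2` as a parameter of `listen`), so confirm the target host's version before deploying. The `server` block continues past the end of the hunk.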
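Review bot: Nothing in the patch schedules this oneshot unit — the diffstat adds no `step-kosherinata@.timer` and the unit has no `[Install]` section — so renewal only happens when someone runs `systemctl start step-kosherinata@blekin.service` by hand, and the certificate issued by `script/setup.sh` would expire unnoticed. Add a matching `step-kosherinata@.timer` with an `OnCalendar=` schedule, `Persistent=true` and `[Install] WantedBy=timers.target`, and enable it per instance. With no `User=` the renew runs as root, which it needs in order to write `/etc/nginx/tls/key/%i.kosherinata.internal.pem` and reload nginx; `ProtectSystem=strict` with `ReadWritePaths=/etc/nginx/tls` and `PrivateTmp=true` would narrow what the `step` process can touch, provided the `systemctl reload` in `ExecStartPost` still works under that sandbox (worth testing on the host).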
--- /dev/null
+++ b/script/setup.sh
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+ui_host=oolon.kosherinata.internal
+ws_host=frootmig.kosherinata.internal
+app_fqdn=blekin.kosherinata.internal
+
+fedora_trusted_root_path=/etc/pki/ca-trust/source/anchors/root-internal.pem
+fedora_intermediate_path=/etc/pki/ca-trust/source/anchors/intermediate-internal.pem
+
+
+#ssh ${ui_host} sudo mkdir -p /etc/nginx/tls/${app_fqdn}
+app_cert_is_valid=false
+app_cert_remote_path=/etc/nginx/tls/cert/${app_fqdn}.pem
+app_key_remote_path=/etc/nginx/tls/key/${app_fqdn}.pem
+app_cert_local_path=/tmp/${app_fqdn}.pem
+
+if rsync \
+ --archive \
+ --compress \
+ --rsync-path 'sudo rsync' \
+ ${ui_host}:${app_cert_remote_path} \
+ ${app_cert_local_path} 2> /dev/null; then
+ if openssl verify \
+ -trusted ${fedora_trusted_root_path} \
+ -untrusted ${fedora_intermediate_path} \
+ ${app_cert_local_path}; then
+ echo "verified ${app_fqdn} cert from ${ui_host}"
+ app_cert_is_valid=true
+ else
+ echo "failed to verify ${app_fqdn} cert from ${ui_host}"
+ exit 1
+ fi
+else
+ echo "observed missing ${app_fqdn} cert on ${ui_host}"
+fi
+if [ "${app_cert_is_valid}" = "true" ]; then
+ echo "observed valid cert for ${app_fqdn} on ${ui_host}"
+else
+ if rsync \
+ --archive \
+ --compress \
+ --rsync-path 'sudo rsync' \
+ --chmod 600 \
+ --chown root:root \
+ ~/.step/secrets/provisioner \
+ ${ui_host}:/tmp/provisioner; then
+ echo "provisioner secret synced to ${ui_host}"
+ else
+ echo "failed to sync provisioner secret to ${ui_host}"
+ exit 1
+ fi
+ if ssh ${ui_host} sudo step ca certificate \
+ --force \
+ --provisioner lair \
+ --provisioner-password-file /tmp/provisioner \
+ --ca-url https://ca.internal \
+ --root /etc/pki/ca-trust/source/anchors/root-internal.pem \
+ --san ${app_fqdn} \
+ ${app_fqdn} \
+ ${app_cert_remote_path} \
+ ${app_key_remote_path}; then
+ echo "acquired ${app_fqdn} cert on ${ui_host}"
+ else
+ echo "failed to acquire ${app_fqdn} cert on ${ui_host}"
+ fi
+ ssh ${ui_host} sudo rm -f /tmp/provisioner
+fi
+
+if rsync \
+ --archive \
+ --compress \
+ --rsync-path 'sudo rsync' \
+ --chown root:root \
+ ~/git/grenade/blekin/asset/nginx/${app_fqdn}.conf \
+ ${ui_host}:/etc/nginx/sites-available/${app_fqdn}.conf; then
+ echo "${app_fqdn}.conf synced to ${ui_host}"
+else
+ echo "failed to sync ${app_fqdn}.conf to ${ui_host}"
+fi
+if ssh ${ui_host} sudo ln -sf /etc/nginx/sites-available/${app_fqdn}.conf /etc/nginx/sites-enabled/${app_fqdn}.conf; then
+ echo "${app_fqdn} enabled on ${ui_host}"
+else
+ echo "failed to enable ${app_fqdn} on ${ui_host}"
+fi
+if ssh ${ui_host} 'sudo nginx -t && sudo systemctl reload nginx.service'; then
+ echo "nginx reloaded on ${ui_host}"
+else
+ echo "failed to reload nginx on ${ui_host}"
+fi
+
+
+# sudo useradd --system --create-home --home-dir /var/lib/blekin --user-group blekin
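Review bot: The provisioner password is staged at the fixed path `/tmp/provisioner` on the UI host and is only removed by the `ssh … sudo rm -f` that follows the `step ca certificate` call, so an interrupted run leaves the secret sitting in a shared directory. Register the cleanup before the transfer, `trap 'ssh "${ui_host}" sudo rm -f /tmp/provisioner' EXIT`, and prefer `mktemp`-generated names over predictable `/tmp` paths both there and for the local `/tmp/${app_fqdn}.pem` copy. The failure branches of the nginx section (conf sync, symlink, reload) only echo and fall through, so a failed sync still enables and reloads whatever is already on disk; make those branches `exit 1`, and put `set -euo pipefail` at the top so unguarded commands such as the final `ssh … rm -f` cannot fail silently. Expansions like `${ui_host}:${app_cert_remote_path}` are unquoted throughout; harmless for these fixed values, but they should be quoted per shell convention.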